Are my AutoIt exes really infected?


2. Why doesn't the AV react to Process Hacker, which can kill the AV, but reports a trojan for a simple application like MsgBox.exe?

I will try to paraphrase: Why don't AVs react when you start Process Hacker.exe, and at the same time AVs check AutoIt-made exes with simple content, something like MsgBox(0, "", ""), and keep saying that it is a trojan?

Is this way more understandable?


I would assume it's because Process Hacker is a known piece of software, and being known, AV software knows what it does and doesn't flag it as a virus or malware because of this.

Very few of the well-known AV software companies would flag an AutoIt script like that as a trojan. Shitty AV software might, or one that has a bad signature file update.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


However, I would argue that it shouldn't take more than 2 seconds to figure this out. If you know enough to want to disable UPX, you should know it's a compressor, therefore a quick look at the options will provide only one with "UPX" and "compress" in the name. Maybe it is misnamed and not implemented right, but I don't think it takes a computer science degree to figure out what it's for if you know enough about UPX to want to disable it in the first place.

 


That site isn't used in the _GetIP function, so I'm not sure what you're referring to.

EDIT: Just found it, that site was in the old _GetIP function back in 3.3.10.x but has been gone for over a year. You need to upgrade.


  • 4 weeks later...

I just wanted to add this to the heap (of false positives).

I've used Microsoft Security Essentials for two years with no detection problems.  But one of the definition updates a couple of weeks ago started flagging an exe here and there.

But the latest one (today) halted a compile.  I'll look into sending this one in ... but it's discouraging to see them start to cast a wider net.  "Severe", they declare ... with no real knowledge of what's in the net.  "To a man with a hammer, everything starts to look like a nail."

I don't use UPX and I'm on Win7 Pro, using 3.3.12.0


  • Moderators

It is humorous to me that a sticky thread started to give people answers to their questions regarding false positives, and thus keep them from unnecessarily posting every time they see an AV issue with a script, is now 5 pages deep with people doing just that :)

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!


 

unnecessarily posting every time they see an AV issue with a script

I, for one, don't see it that way at all.  AV detection is an evolving situation.  Whenever there's a significant development (for me, a change in MSE after 2 years of use), people need to have some way to become aware.

This thread—or some other one, if you prefer—should be about AV Issue Awareness.  If AU3 is ever going to break out of being looked at as a fringe language, it's going to have to come through wider awareness.  And making AV issues and the associated impact known can only help.

Again, my opinion.  Yours may differ.


  • Developers

Again, my opinion.  Yours may differ.

Correct, and I also disagree ;)

This thread is about informing people what false positives are and where they should go to get them fixed.

The original intent was to avoid the creation of unneeded threads and posts on this topic.

Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


People are going to post about alerts, no matter what.

Better in here I say.

EDIT:

Also, most of the posts in here are just discussion rather than alert reports.

Probably only about a dozen reports.


AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.


  • 1 month later...
  • Developers

Symantec released this today: killing all my scripts out in the field and removing them via quarantine.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2015-050111-5257-99&vid=4294922793

I guess I should submit a false positive report, but the damage is done pretty fast :/

 

Are you seriously expecting an answer, assuming you read the initial post in this thread?


  • Moderators

 

I guess I should submit a false positive report, but the damage is done pretty fast :/

You admit you know what you should do...


  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic
